
HIPAA: Can you prove your data has NOT been compromised?

Proof, rarely a concern

Proof that data was safe at a particular point in time is rarely a concern for organizations implementing security controls; many other areas are believed to be more important, so the focus is mostly on protecting information by assessing and mitigating the risk associated with its loss. Part of this emphasis involves auditing access to systems in various ways, to have a record and, hopefully, be notified when security incidents occur. Unfortunately, auditing access to the data itself (files, databases) is rarely a priority. While auditors accept this general approach, lack of information on which files were accessed and by whom can turn against you in the case of a security incident.

Why is proof critical?

Somewhere at the confluence of the HIPAA Security Rule and the HIPAA Privacy Rule lies a less known implication: a presumed security incident, without any proof that data was NOT affected, must be reported like any other definite data breach. Consequently, an entity in this situation undergoes the same process as one suffering a clear and proven data breach:

  • Notifications to affected persons and authorities: in the absence of information, most probably all customers and employees are considered involved;
  • Costs of forensic investigations: usually third-party companies are contracted to conduct such activities;
  • Costs of customer assistance: most businesses in this situation set up call centers to help their clients with information related to the breach;
  • Costs of professional financial audit: if cardholder information is presumed lost, companies offer affected people free financial monitoring over the period following the data breach;
  • Legal costs, fines, etc.

Some degree of confusion exists around the topic, as initially the need to report a breach was only enforced when there was proof that data was affected. However, since the update “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act” of January 25th, 2013:

Impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised.

Example of how lack of proof triggers a breach report

The security incident at Valley Anesthesiology and Pain Consultants (VAPC) is an example of such a situation: there was a presumed security incident without any proof that data was affected, but it was still reported under HIPAA, because no evidence that the data was not affected could be found either.

On June 13, 2016, management learned about a possible security incident that had occurred on March 30, in which an external attacker gained access to critical computer systems. The company hired forensic investigators, who did not find any evidence that the data on these systems was compromised. Nevertheless, since no proof that the data was untouched could be found either, VAPC started notifying affected persons and made an official report on August 11, 2016. Over 882,000 customers and all employees were considered affected by this incident.

How we can help

TEMASOFT FileMonitor, our file monitoring software, offers detailed data access auditing functionality enabling healthcare companies to:

  • Deliver alerts when access to data occurs outside configured parameters (user accounts, time intervals, authorized applications, etc.);
  • Maintain detailed audit trails of basic and complex file operations, enabling entities to prove whether access to data occurred or not, together with sufficient information to allow further forensic correlation with other audit trails related to security incidents.
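As an added illustration (not FileMonitor's code; the record format, policy and coverage periods are constructed assumptions), the following Python check flags file accesses outside configured parameters and answers the question "was this file accessed in this window?", treating a gap in audit coverage as "unknown" rather than as proof of no access:

```python
from datetime import datetime, time

# Constructed sample audit records (assumed format: timestamp user path operation app).
AUDIT_LOG = r"""
2016-03-30T08:15:02 alice C:\PHI\patients.db read EMR.exe
2016-03-30T09:40:11 bob C:\PHI\claims.xlsx read EXCEL.EXE
2016-03-30T23:05:47 bob C:\PHI\patients.db copy cmd.exe
2016-03-31T10:12:30 svc01 C:\PHI\patients.db read backup.exe
""".strip()
# Periods during which the audit agent is known to have been recording (constructed).
COVERAGE = [("2016-03-30T00:00:00", "2016-03-31T12:00:00")]
# Access policy (constructed): who may touch PHI, when, and through which applications.
POLICY = {
    "users": {"alice", "bob", "svc01"},
    "hours": (time(7, 0), time(19, 0)),
    "apps": {"EMR.exe", "EXCEL.EXE", "backup.exe"},
}

def parse(log):
    events = []
    for line in log.splitlines():
        ts, user, path, op, app = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "path": path, "op": op, "app": app})
    return events

def violations(events, policy):
    """Return (event, reasons) for every access outside the configured parameters."""
    start, end = policy["hours"]
    flagged = []
    for e in events:
        reasons = [name for name, bad in (
            ("user", e["user"] not in policy["users"]),
            ("time", not start <= e["ts"].time() <= end),
            ("app", e["app"] not in policy["apps"])) if bad]
        if reasons:
            flagged.append((e, reasons))
    return flagged

def prove_no_access(events, path, t0, t1, coverage=COVERAGE):
    """'no access' only if the whole window was under audit and nothing touched path;
    an empty result inside an audit gap is 'unknown', not proof."""
    t0, t1 = datetime.fromisoformat(t0), datetime.fromisoformat(t1)
    covered = any(datetime.fromisoformat(c0) <= t0 and t1 <= datetime.fromisoformat(c1)
                  for c0, c1 in coverage)
    hits = [e for e in events if e["path"] == path and t0 <= e["ts"] <= t1]
    if hits:
        return "accessed"
    return "no access" if covered else "unknown"
```

The coverage check is the part that matters for HIPAA's "low probability of compromise" argument: an empty audit trail only proves absence of access if auditing was demonstrably running for the whole period in question.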

TEMASOFT offers this functionality for FREE for up to two workstation PCs, for personal use.


References:

http://www.valley.md/securityupdate

http://www.privacydatabreach.com/2016/08/arizona-anesthesia-group-notifies-882590-patients-of-data-breach/

https://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf

This post was last modified on August 21, 2023 7:27 am

Calin Ghibu

Technical background: over 15 years experience in testing, developing, researching and managing network security solutions. Currently focusing on information security and IT management. Specialties: Network audit, information security, web security, endpoint security, perimeter security SIEM, legal compliance, competitive intelligence.

